论文信息 - Improving the Security of CardSpace

Improving the Security of CardSpace

CardSpace (formerly known as InfoCard) is a digital identity management system that has recently been adopted by Microsoft. In this paper we identify two security shortcomings in CardSpace that could lead to a serious privacy violation. The first is its reliance on user judgements of the trustworthiness of service providers, and the second is its reliance on a single layer of authentication. We also propose a modification designed to address both flaws. The proposed approach is compatible with the currently deployed CardSpace identity metasystem and should enhance the privacy of the system whilst involving only minor changes to the current CardSpace framework. We also provide a security and performance analysis of the proposal.

Chris J. Mitchell | Waleed A. Alrodhan

[1] Scott Rose,et al. DNS Security Introduction and Requirements , 2005, RFC.

[2] Phillip Hallam-Baker,et al. Web services security: soap message security , 2003 .

[3] Michael B. Jones,et al. Design Rationale behind the Identity Metasystem Architecture , 2007, ISSE.

[4] C. P. Schnorr,et al. Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[5] Scott Rose,et al. DNS Security Introduction and Requirements , 2005, RFC.

[6] Chris J. Mitchell,et al. Addressing privacy issues in CardSpace , 2007, Third International Symposium on Information Assurance and Security.

[7] Elisa Bertino,et al. Establishing and protecting digital identity in federation systems , 2005, DIM '05.

[8] Alfred Menezes,et al. Handbook of Applied Cryptography , 2018 .

[9] Cédric Tabin,et al. Liberty Alliance Project , 2007 .

[10] Giovanni Della-Libera,et al. Web Services Trust Language (WS-Trust) , 2002 .

[11] Tzi-cker Chiueh,et al. Accurate Application-Specific Sandboxing for Win32/Intel Binaries , 2007 .

[12] K. Cameron. The Laws of Identity , 2005 .

[13] Amos Fiat,et al. Zero-knowledge proofs of identity , 1987, Journal of Cryptology.

[14] Amos Fiat,et al. Zero Knowledge Proofs of Identity , 1987, STOC.

[15] Giovanni Della-Libera,et al. Web Services Security Policy Language (WS-SecurityPolicy) , 2002 .